Why use CIDR matching

CIDR patterns are a quick and easy way of matching a range of IP addresses. This can be particularly useful when dealing with ISPs which allocate dynamic IP addresses to their users. Users can easily change IP address by restarting their routers, but the addresses they get are typically within a relatively small range. CIDR may allow a troublesome user to be banned with a few patterns rather than a large number of individual zlines.

How to use CIDR

IPv4

A CIDR pattern looks something like this:

a.b.c.d/e

The first part, a.b.c.d, is simply a normal IPv4 address. The interesting part is the 'e'. This number specifies how many bits of the first part -- a.b.c.d -- are significant when it comes to matching an IP address against the pattern.
Right, that last part needs a little more explanation (if it already made sense to you then you can stop reading now: you know CIDR, that's it). An IPv4 address is simply a 32-bit number, which happens to be written (by convention) as four 8-bit (0-255) numbers: the 'a', 'b', 'c' and 'd' above. We could also write an IPv4 address in binary:

00111100 10010001 00111000 11110110 (60.145.56.246)

Now when it comes to matching a CIDR pattern against an actual address, what the number after the / in the pattern ('e') specifies is how many bits (counting left to right) have to be the same for the address to match the pattern.

Because the 'e' value is 24, we only have to check the first 24 bits of the address (the first three octets, 60.145.56) against the first 24 bits of the pattern. Those 24 bits are identical, so the address matches the pattern.

You should be able to see that when 'e' is a multiple of 8 then a CIDR pattern behaves a little like a glob pattern would. 60.145.56.0/24 is equivalent to 60.145.56.*, 60.145.0.0/16 is equivalent to 60.145.*.* and so on.
However, CIDR is more flexible than glob matching (not to mention faster) because the 'e' value does not have to be a multiple of 8.
Take the pattern 60.145.56.224/27, or in binary form:

00111100 10010001 00111000 11100000

This pattern also matches our example IP address 60.145.56.246 because, as we can see, the first 27 bits (everything before the '|') are identical and the remaining 5 bits are never compared:

00111100 10010001 00111000 111|10110 (60.145.56.246)
00111100 10010001 00111000 111|00000 (60.145.56.224/27)

IPv6

Examples may be added at a later date, but CIDR is fundamentally the same for IPv6 as it is for IPv4. The only differences are that, obviously, IPv6 addresses are longer (128 bits rather than 32 for IPv4) and they are written in a different form.

Warnings and Notes

/0 patterns

If you've read the above properly then it should be obvious that a /0 pattern ('e' = 0) is very rarely something you want. Such a pattern specifies that no bits have to be checked, hence all addresses will match a /0 pattern: akin to '*' as a mask. Very unlikely to be the intended result.

/32 patterns and /128 patterns

Again, this should be obvious from the above. A /32 pattern (for IPv4, 'e' = 32) or a /128 pattern (for IPv6, 'e' = 128) means that the entire address (32 bits for IPv4, 128 bits for IPv6) is compared. Therefore one of these patterns will only match exactly one address.
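As an added example (not from the original page, and not any IRC server's own ban-matching code), the following Python implements the "first 'e' bits must be equal" rule described in the IPv4 section for both IPv4 and IPv6, and also covers the /0 catch-all and glob-equivalence points above; the function names and the sample addresses are my own.

```python
import ipaddress
from typing import Optional, Tuple

def _to_int(addr: str) -> Tuple[int, int]:
    """Return (integer value, width in bits): 32 for IPv4, 128 for IPv6."""
    ip = ipaddress.ip_address(addr)
    return int(ip), ip.max_prefixlen

def parse_cidr(pattern: str) -> Tuple[int, int, int]:
    """Split 'a.b.c.d/e' (or the IPv6 equivalent) into (address int, e, width)."""
    addr, _, prefix = pattern.partition("/")
    value, width = _to_int(addr)
    bits = int(prefix) if prefix else width  # no '/e' means an exact match
    if not 0 <= bits <= width:
        raise ValueError(f"/{bits} is not a valid prefix for a {width}-bit address")
    return value, bits, width

def cidr_match(pattern: str, address: str) -> bool:
    """True if the first e bits of address equal the first e bits of the pattern."""
    net, bits, width = parse_cidr(pattern)
    value, addr_width = _to_int(address)
    if addr_width != width:  # an IPv4 pattern never matches an IPv6 address, or vice versa
        return False
    # Keep only the top 'bits' bits of each side; for /0 the mask is zero, so all match.
    mask = ((1 << bits) - 1) << (width - bits)
    return (net & mask) == (value & mask)

def is_catch_all(pattern: str) -> bool:
    """Flag a /0 pattern: no bits are checked, so it would ban every address."""
    return parse_cidr(pattern)[1] == 0

def glob_equivalent(pattern: str) -> Optional[str]:
    """For an IPv4 pattern whose e is a multiple of 8, the equivalent glob mask."""
    net, bits, width = parse_cidr(pattern)
    if width != 32 or bits % 8:
        return None
    octets = [str((net >> shift) & 0xFF) for shift in (24, 16, 8, 0)]
    keep = bits // 8
    return ".".join(octets[:keep] + ["*"] * (4 - keep))

def to_binary(address: str) -> str:
    """Render an address in the grouped binary form used in the text above."""
    value, width = _to_int(address)
    group = 8 if width == 32 else 16
    digits = format(value, f"0{width}b")
    return " ".join(digits[i:i + group] for i in range(0, width, group))

if __name__ == "__main__":
    print(to_binary("60.145.56.246"))  # 00111100 10010001 00111000 11110110
    print(cidr_match("60.145.56.224/27", "60.145.56.246"))  # True
```

Running is_catch_all over a ban list before loading it is a cheap way to catch the /0 mistake the Warnings section describes.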